On Aug 21, 2008, at 4:25 PM, Paul Moore wrote:
Another update to the labeled networking patches for 2.6.28. This revision adds some small fixes, the dead-code removal patch posted earlier, and the big addition ... wait for it ... full LSM label/context support for local connections. This is accomplished by creating a new, private CIPSO tag type (allowed by the spec with a tag number > 127) which carries the LSM's secid value, allowing full LSM contexts to be carried across local connections without the headaches of labeled IPsec.

For those of you interested in testing this out, you will need the latest from the netlabel_tools addrsel branch; revision 74 or higher should work.

If you enable the new local labeling you will almost certainly need to run SELinux in permissive mode since I'm fairly certain the current policies don't have the necessary allow rules. With that said, enabling the new local labeling is pretty easy ...
Paul created a 2.6.26 patch which I've been testing with excellent
results in Fedora 9. Local (lo and ethN) labeled networking is more
reliable than the IPSec equivalent and does not have the IPSec SA
creation latency. I'll push this to a larger set of developers and
testers next week and report any issues.
joe
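To make Paul's description concrete, the following is an added example (not code from the thread, the kernel or netlabel_tools): a small C parser for a CIPSO IP option that understands the standard restricted-bitmap tag (tag type 1) alongside an assumed private tag type 128 carrying a 4-byte LSM secid. The option framing (type 134, length, 4-byte DOI, then type/length-prefixed tags) follows the CIPSO draft; the local tag's number and its 1+1+4 byte layout are assumptions for illustration, as is the check that such a tag is only honored when the packet arrived on the loopback interface, which is the property that keeps a secid from being injected by a remote peer. The sample option bytes are constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define IPOPT_CIPSO          134  /* IP option number for CIPSO */
#define CIPSO_TAG_RBITMAP      1  /* standard tag: sensitivity level + category bitmap */
#define CIPSO_TAG_LOCAL      128  /* ASSUMED: private tag (>127) carrying an LSM secid */
#define CIPSO_TAG_LOCAL_LEN    6  /* ASSUMED layout: type(1) + length(1) + secid(4, big-endian) */

enum cipso_result {
    CIPSO_OK = 0,          /* option parsed, label filled in */
    CIPSO_MALFORMED,       /* bad length, unknown tag, or inconsistent framing */
    CIPSO_LOCAL_OFF_HOST,  /* local secid tag seen on a non-loopback interface */
    CIPSO_NO_LABEL         /* option present but carried no tags */
};

struct cipso_label {
    uint32_t doi;
    int      has_secid;
    uint32_t secid;        /* valid only when has_secid != 0 */
    int      has_level;
    uint8_t  level;
    uint8_t  catmap[30];   /* tag 1 bitmap, at most 30 bytes */
    size_t   catmap_len;
};

static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Parse one CIPSO option. opt points at the option type byte; opt_len is the
 * number of bytes available for it. on_loopback says whether the packet was
 * received on lo; the local tag is only accepted in that case. */
enum cipso_result cipso_parse(const uint8_t *opt, size_t opt_len,
                              int on_loopback, struct cipso_label *out)
{
    memset(out, 0, sizeof *out);
    if (opt_len < 6 || opt_len > 40 || opt[0] != IPOPT_CIPSO || opt[1] != opt_len)
        return CIPSO_MALFORMED;
    out->doi = be32(opt + 2);

    size_t pos = 6;
    int tags = 0;
    while (pos < opt_len) {
        if (opt_len - pos < 2)
            return CIPSO_MALFORMED;            /* truncated tag header */
        uint8_t type = opt[pos], len = opt[pos + 1];
        if (len < 2 || len > opt_len - pos)
            return CIPSO_MALFORMED;            /* tag overruns the option */
        const uint8_t *data = opt + pos + 2;
        size_t dlen = len - 2;

        switch (type) {
        case CIPSO_TAG_RBITMAP:
            /* data: alignment byte, sensitivity level, up to 30 bytes of bitmap */
            if (dlen < 2 || dlen > 32)
                return CIPSO_MALFORMED;
            out->has_level = 1;
            out->level = data[1];
            out->catmap_len = dlen - 2;
            memcpy(out->catmap, data + 2, out->catmap_len);
            break;
        case CIPSO_TAG_LOCAL:
            if (len != CIPSO_TAG_LOCAL_LEN)
                return CIPSO_MALFORMED;
            if (!on_loopback)
                return CIPSO_LOCAL_OFF_HOST;   /* never trust a secid from off-host */
            out->has_secid = 1;
            out->secid = be32(data);
            break;
        default:
            return CIPSO_MALFORMED;            /* tag type we do not implement */
        }
        tags++;
        pos += len;
    }
    return tags ? CIPSO_OK : CIPSO_NO_LABEL;
}

/* Constructed sample options for a stand-alone run. */
static const uint8_t sample_local[]  = { 134, 12, 0, 0, 0, 3, 128, 6, 0, 0, 0x10, 0x01 };
static const uint8_t sample_bitmap[] = { 134, 12, 0, 0, 0, 1,   1, 6, 0, 2, 0x80, 0x40 };
static const uint8_t sample_bad[]    = { 134,  8, 0, 0, 0, 1,   1, 3 };

int main(void)
{
    struct cipso_label l;
    printf("local on lo:  %d secid=%u\n", cipso_parse(sample_local, sizeof sample_local, 1, &l), l.secid);
    printf("local on eth: %d\n",          cipso_parse(sample_local, sizeof sample_local, 0, &l));
    printf("bitmap:       %d level=%u\n", cipso_parse(sample_bitmap, sizeof sample_bitmap, 0, &l), l.level);
    printf("malformed:    %d\n",          cipso_parse(sample_bad, sizeof sample_bad, 1, &l));
    return 0;
}
```

The interface check is the part worth keeping in mind when testing the local labeling: a tag that maps straight to a secid is only safe because it can never be accepted from a packet that crossed a real network interface, which is also why permissive mode is needed only for the allow rules on the resulting contexts, not for the tag handling itself.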
--
This message was distributed to subscribers of the selinux mailing list.